Date: Wed, 28 Dec 2005 09:59:47 +0000 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Imran Imtiaz <imran@darkstar.thelakecity.com.pk> Cc: freebsd-questions@freebsd.org Subject: Re: ftp nologin problem Message-ID: <43B26213.5060504@infracaninophile.co.uk> In-Reply-To: <200512280736.jBS7aLRH079056@darkstar.thelakecity.com.pk> References: <200512280736.jBS7aLRH079056@darkstar.thelakecity.com.pk>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig98F1D657442D62F3B029AE4F
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
Imran Imtiaz wrote:
> I am running ProFTPD 1.2.10 on my bsd server but the problem is that if a user don't have a shell and I've defined his shell as nologin then the ftp server does not logon and give the following error
> C:\Documents and Settings\Asif>ftp 192.168.0.3
> Connected to 192.168.0.3.
> 220 ProFTPD 1.2.10 Server (ProFTPD Default Installation) [192.168.0.3]
> User (192.168.0.3:(none)): db.backup
> 331 Password required for db.backup.
> Password:
> 530 Login incorrect.
> Login failed.
> ftp>
>
> tell me how can I correct this problem cause I don't want to give user a shell.
Yes -- in order for a user to log in successfully via FTP they need:
* a user account
* a valid shell (appears in /etc/shells)
* not to be in the list of user accounts *denied* ftp access,
confusingly kept in /etc/ftpusers
I suspect it's point 2 that you are running into here. However, do not
just blindly add /sbin/nologin to /etc/shells -- any user account that
gets created on your system solely for the purpose of owning files or
processes will probably end up with nologin as its shell. Putting
nologin into /etc/shells potentially creates a back door by which those
accounts can be used with FTP.
Instead, take a copy of /sbin/nologin, call it /usr/local/bin/ftp-only
and use that as the shell for all ftp users. Add that to /etc/shells and
everything should work the way you want.
If you're trying to setup a highly secure mechanism for copying files over
the net for backup, then I'd counsel against using FTP at all -- it's one of
those archaic 'dawn of the internet' type protocols that does nasty things
like transmitting passwords over networks in plain text. Two much better
alternatives are:
WebDav over HTTPS -- very easy to use from the Windows desktop via
the 'map network location' feature. One gotcha is that if you're
using a self signed cert on your webserver then you have to click
on 'examine certificate' the first time you connect to the server,
and then click on 'accept this certificate' or Windows will silently
refuse to map the web location.
rsync or scp over ssh. On the Windows side, you'll need a SSH
client, like Putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/)
scp is built into Putty, but adding rsync capability will need you to
do a bit more work. You'll need to install rsync (Ports: net/rsync)
on your FreeBSD server, plus the Cygwin environment on your windows
machines ( http://www.cygwin.com/)
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
--------------enig98F1D657442D62F3B029AE4F
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDsmIY8Mjk52CukIwRA4PWAJ9hQ5hx4PZW7PRyIIiUUV/QLD9rCACdFDik
iNfh7xj6vOiIykIwSTfbsvs=
=ddxb
-----END PGP SIGNATURE-----
--------------enig98F1D657442D62F3B029AE4F--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43B26213.5060504>